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Overview 

The  Problem: 

•  How  to  recognize  Insecure  Code? 
Techniques: 

•  Automated  Security  Checking 

•  Static  Analysis 

•  Abstract  Syntax  T ree  (AST) 

•  ROSE 

So  how  do  we  actually  use  ROSE? 
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Agenda 

We  will  build  a  rule  checker,  showing  how  ROSE 
helps  us. 

•  ROSE  Setup 

•  ROSE  Documentation 

•  Background 

•  Design 

•  Examining  Source  Code  using  ROSE 

•  Code 

•  Run  &  Test 

•  Useful  ROSE  Functions 
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What  is  ROSE? 


Developed  at  Lawrence  Livermore  National  Labs  (LLNL) 

•  Analyzes  program  source  code 

•  Produces  Abstract  Syntax  Tree  (AST) 

•  Can  then  be  used  for  static  analysis 

We  will  use  ROSE  to  enforce  secure  coding  rules 
http : / / rosecompiler . org/ 
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Rosebud 


Rosebud  is  a  Virtual  Machine  that  is  useful  for  working  with 
Rose. 


•  Rose  and  the  checkers  are  already  built;  no  need  to 
compile 

•  Cross-platform,  runs  as  a  VM 

•  Includes  popular  developer  tools  (Eclipse,  emacs,  etc) 
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Rosebud  2 


Download  the  ‘rosebud’  VM  from 


rosecheckers . sourcef orge . net 


You  will  need  VMWare  Player,  to  run  Rosebud.  VMWare 
Player  is  freely  available  at: 

downloads . vmware . com 


Extract  the  Rosebud  package  and  start  VM  Player. 
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Rosebud  3 


In  VMPlayer,  select  Open  an  Existing  Virtual  Machine. 

When  it  prompts  you  for  a  virtual  machine  (VM)  to  open,  go  to 
the  rosebud  directory,  and 

Select  rosebud. vmx.  This  'boots  up'  the  Rosebud  virtual 
machine.  After  a  few  seconds,  a  login  prompt  will  appear. 

Enter  username:  rose  password:  roserose 

The  system  will  then  re-prompt  you  for  the  password,  re-enter 
it. 

The  system  will  then  give  you  a  command-line  prompt  (a 
single  %) 

Type  startx  <RETURN>.  This  will  bring  up  the  GUI. 
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Rosebud  4 


After  desktop  turns  blue,  right-click  on  the  desktop.  This  brings 
up  the  program  menu. 


You  should  now  be  able  to  build  and  test  the  rules. ..you  can 
do  this  with  these  commands  in  a  terminal: 


cd  ~/src/rosecheckers 
make  tests 
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ROSE  Setup  on  Andrew 


Your  environment  should  contain  the  following: 

setenv  ROSE  /afs/andrew/usr/svoboda/public/rose 
setenv  LD_LIBRARY_PATH  $ROSE/lib : $LD_LIBRARY_PATH 
setenv  PATH  $ROSE/bin : $PATH 


Check  out  the  Rosecheckers  project  from  SourceForge. 

svn  checkout 

https : / /anonymous @ rosecheckers . svn . sourcef orge . net/s 
vnroot/ rosecheckers/trunk/ rosecheckers 


You  should  now  be  able  to  build  and  test  the  rules. 
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ROSE  Homepage 


File  Edit  View  History  Bookmarks  Tools  Help 


□  f  i  le:///home/svoboda/Desktop/Docu  men 

r  ^ 

Eh 

Google 

Home 

User  Manual  (pdf) 

Tutorial  (pdf) 
Programmer's  Reference 

Publications 
Download  Software 


R 


Privacy  &  Legal  Notice 


ROSE  is  a  project  to  define  a  new  type  of  compiler  technology 
which  allows  compilation  techniques  to  address  the  optimization 
of  user-defined  abstractions.  Due  to  the  nature  of  the  solution  we 
provide,  it  is  also  an  open  compiler  infrastructure  that  can  be  used 
for  a  wide  number  of  other  purposes.  The  software  developed  to 
support  ROSE  research  work  provides  an  open  general  purpose 
and  robust  compiler  infrastructure  to  support  numerous  tools  and 
external  collaborations  in  C,  C++,  and  F90. 

User-defined  abstractions  are  built  from  within  an  existing  base 
language  and  carry  specific  semantic  information  which  can't  be 
communicated  to  the  base  language's  compiler.  In  many  situations, 
the  semantic  information  could  be  useful  within  program 


Done 
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ROSE  Documentation 


User  Manual 


Full  documentation  for  the  Rose  features  and 
techniques 

Tutorial 

Guide  to  installing  ROSE  and  some  of  its  utilities 
Programmer’s  Reference 

Web-based  documentation  for  each  class  and  method 
in  ROSE. 

Generated  by 


PoKt/qcn 
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Programmer’s  Reference  i 


File  Edit  View  History  Bookmarks  Tools  Help 


^  ’  6?  ^  O 

D  file:///home/svoboda/Desktop/D< 

► 

O' 

Google 

1=]  SgGraphStorageClass 
j=1  SgGreaterOrEgualOp 
[s']  SgGreaterOrEgualOp 
js]  SgGreaterTkanOp 
[§]  SgGreaterTlianOpSto] 
[s]  SglfdefDirectiveStatc 
js]  SglfdefDirectiveStatc 
[=1  SglfDirectiveStatemc 
[=1  SgIfDirectiveStatem« 
[s]  SglfndefDirectiveStal 
[s]  SglfndefDirectiveStal 
g|  jSglfStmtj 
js]  SglfStmtStorageClas 
[s]  SglmplicitStatement 
Is]  SglmplicitStatement 
js]  SglmpliedDo 
js]  SgImpliedDoStorage( 
[j]  Sglmport Statement 
[s]  SglmportStatementSt 
js]  SglncludeDirectiveSt 
[s]  SglncludeDirectiveSt 
[s]  SglnitializedName 
s]  SglnitializedNameSt 
| s]  Sglnitializer 
js]  SglnitializerStorage1 


Main  Page  |  Modules  |  Namespace  List  |  Class  Hierarchy  |  Class  List  | 
File  List  |  Namespace  Members  |  Class  Members  |  File  Members  | 
Related  Pages 


SglfStmt  Class  Reference 


^include  <x*_Gramnar.  h> 

Inheritance  diagram  for  SglfStmt: 


SgNode 


SgLocatedNode 


Sg  Statement 


SgScopeStatement 


SglfStmt 


Collaboration  diagram  for  SglfStmt: 


[legend] 


Done 
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Programmer’s  Reference  2 


File  Edit  View  History  Bookmarks  Tools  Help 


^  ^  ~  0  Q  A 

□  file:///home/svoboda/Desktop/Documents/Work/ros< 

-  ► 

Eh 

Google 

lv 

Done 


\ 
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allocation  mutex 


J 
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Programmer’s  Reference  3 


File  Edit  View  History  Bookmarks  Tools  Help 

V  •  •  @ 


□  file:///home/svoboda/Desktop/Dc 

r 

G  ’ 

Google 

E~|  SgAssociateStatem 
[¥~]  SgAsteriskShapeExp 
Q  SgAsteriskSliapeExpS 
-  SgAttribute 

=1  SgAttributeSpecifical 
[g]  SgAttributeSpecifical 
=~[  SgAttributeStorageC] 
=~|  SgBackspaceStateme 
:i"|  SgBackspaceStateme 
[g~]  SgBaseClass 
=1  SgBaseClassModifiei 
gf|  SgBaseClassModifiei 
[g~|  SgBaseClassStorage( 
[ii  SgBasicBlock 
£~|  SgBasicBlockStorag< 
|f|  SgBinaryNode 


void 

set_conditional  (SgStatement  ’conditional) 

Access  function  for  p -Conditional  See  Conditional)  condition 
for  documentation. 

▲ 

SgBasicBlock  * 

get_true_body  ()  const 

Access  function  for  p_true_body.  See  const  true_body  for 
documentation. 

— 

void 

set_true_body  (SgBasicBlock  *true_body) 

Access  function  for  p_true_body.  See  *true_body)  true_body  j 
documentation. 

SgBasicBlock  * 

get_false_body  ()  const 

Access  function  for  p_false_body.  See  const  false_body  for 
documentation. 

void 

set_false_body  (SgBasicBlock  *false_body) 

Access  function  for  p_false_body.  See  *false_body)  false_body 
documentation. 

std::  string 

get_stringLlabel  ()  const 

void 

set_string_label  (std::string  stringjabel) 

SgLabelRefExp  * 

get_end_numeric_label  ()  const 

virtual 

-SglfStmt  () 

This  is  the  destructor.  There  are  a  lot  of  things  to  delete,  hut 
nothing  is  deleted  m  this  destructor. 

SglfStmt  (Sg_File_lnfo  ♦  startO  fC  onstruct.  SgStatement 
•conditional NULL,  SgBasicBlock  *true_body=NULL, 
SgBasicBlock  *false_body=NULL) 

SnlfStmt  I  SaSItataniant  *rnnditinnal  SnRacifBlnrlf 


Ll 


Done 
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Building  a  Rule  Checker 

We’ll  study  rule  STR3UC 


File  Edit  View  History  Bookmarks  Tools  Help 

A 


h ttps:// www.secu recoding. cert. c  ~ 

r  [* 

O' 

Google 

^Getting  Started  ©Latest  BBC  Headlines 


c  F 

R 

1 

r 

V/L 

n 

1 1 

Software  Assurance 

Secure  Systems 

Organizational  Security 

Coordinated  Response 

Dashboard  >  Secure  Coding  >  ...  >  07.  Characters  and  Strinas  (STR)  >  STR31-C.  Guarantee 


hat  storaae  for  strinas  has  sufficient  space  for  character  data  and  the  null  terminator 


Search 


Log  In  |  Sign  Up 


Standards 

Overview 
C  Language 

C++ 


CERT  Websites 


Secure  Coding 


STR.31-C.  Guarantee  that  storage  for  strings  has 
sufficient  space  for  character  data  and  the  null 


iCient  space 
terminator 


Added  by  Confluence  Administrator ,  last  edited  by  Robert  Seacord  on  Dec  07,  2007  (view  change  I 
I  ahelc;  rule  nths  array 


Done 


www.securecoding.cert.org  ca 
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Test  Cases 


Before  coding,  we  need  at  least  one  positive  test  case  and 
one  negative  test  case,  These  will  prove  to  us  that  the  code 
works. 

The  test  directory  contains  compliant  and  noncompliant 
code  examples... all  compliant  examples  pass  all  the  secure 
coding  rules.  The  noncompliant  code  examples  each  fail  a 
single  secure  coding  rule. 


Our  first  two  test  files  will  be  test/c .  ncce .  wiki .  str  .  c 
and  test/ c . cce . wiki . STR . c 
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Non-Compliant  Code  Example 


#include  <string.h> 

#include  <stdlib.h> 

int  main ( )  { 

/*  ...  */ 
char  buff [256] ; 

strcpy (buf f ,  getenv ( "EDITOR" ) ) ; 

/*  ...  */ 
return  0 ; 

} 


From  test/c . ncce  .wiki  .  STR.  c 


r\ 

(CERT 


Software  Engineering  Institute  Carnegie  Melk>n 


17 


Compliant  Code  Example 


#include  <string.h> 

#include  <stdlib.h> 

int  main ( )  { 

/*  ...  */ 
char*  editor; 
char*  buff; 

editor  =  getenv ( "EDITOR" ) ; 
if  (editor)  { 

buff  =  (char*)  malloc (strlen (editor) +1) ; 
if  ( !buf f )  { 

/*  handle  malloc ()  error  */ 

} 

strcpy(  buff,  editor); 


} 

/*  ...  */ 
return  0 ; 


From  test/c .  cce  .wiki  .  STR.  c 


} 
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Design  Idea 


#include  <string.h> 
#include  <stdlib.h> 


int  main ( )  { 

/*  ...  */ 
char  buff [256] ; 


An  attacker  can  compromise  the 
system  by  setting  the  EDITOR 
environment  variable  to  a  string 
larger  than  256  chars! 


2nd  arg  to  strcpy  ( )  is  a  char* 


strcpy (buff ,  getenv ( "EDITOR" ) ) ; 

/*  ...  */ 
return  0 ; 


getenv ( )  makes  no 
promise  about  the  size 
of  the  string  it  returns! 


1 st  arg  to  Strcpy  ( )  is  a  local  char  [  ] 


We  could  flag  any  instance  of 
strcpy  ()  where  the  1st  arg  is  a  local 
fixed  array  and  the  2nd  arg  is  a  pointer. 
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Other  Test  Cases 


STR31-C  has  many  other  positive  and  negative 
examples,  which  we  could  include  when  testing 
our  rule. 


•  Can  we  test  them  all? 

•  Will  our  idea  of  checking  strcpy  ( ) ’s  arguments 
work  on  them? 

If  not,  how  can  we  check  them 
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Non-Compliant  Code  Example:  (off-by-1) 


char  dest[ARRAY_SIZE] ; 
char  src [ARRAY_SIZE] ; 
size_t  i; 

/*  ...  */ 

for  (i=0;  src[i]  && 

(i  <  sizeof (dest) ) ;  i++)  { 

dest [i]  =  src[i]; 

} 

dest [i]  =  ' \0' ;  /*  ...  */ 
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Non-Compliant  Code  Example:  (strcpyQ) 


int  main(int  argc,  char  *argv[])  { 
/*  ...  */ 

char  prog_name [128] ; 
strcpy  (prog__name ,  argv  [  0  ] )  ; 

/*  ...  */ 

} 
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Compliant  Code  Example:  (strcpy_s()) 

int  main(int  argc,  char  *argv[])  { 

/*  ...  */ 

char  *  prog_name ; 

size_t  prog_size; 

prog_size  =  strlen (argv [0] ) +1 ; 

prog_name  =  (char  *) malloc (prog_size) ; 

if  (prog_name  !=  NULL)  { 

if  (strcpy_s (prog_name ,  prog_size,  argv[0]))  { 

/*  Handle  strcpy_s()  error  */ 

} 

}  else  { 

/*  Couldn't  get  the  memory  -  recover  */ 

} 

/*  ...  */ 
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Testing  Conclusions 


•  We  can’t  handle  the  off-by-1  example  with  our 
design  at  all. 

Our  current  design  will  work  on  the  strcpy() 
example  without  any  modifications. 

•  We  should  add  the  strcpy()  example  to  our  test  suite,  in 

test/ c . ncce . wiki . STR . c 

Our  design  won’t  work  on  the  strcpy_s()  example, 
but  we  could  always  extend  it  to  recognize  the 
arguments  to  strcpy_s()  as  well  as  strcpy(). 

•  We  should  note  this  as  a  task  to  be  done  later. 
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Checker  Design  for  STR31-C 

1 .  T raverse  AST. 

2.  For  each  strcpy  ()  function  call 

1 .  Get  both  arguments  to  strcpy  ( ) .  If 

2.  1 st  argument  is  a  variable  AND 

3.  the  variable’s  type  is  a  fixed-length  array  AND 

4.  2nd  argument’s  type  is  NOT  a  fixed-length  array 
•  Report  a  violation  of  STR31-C! 
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Design  Limitations 


•  Will  report  all  cases  of  strcpy  (  char  [  ]  , 
char*)  ,  including  false  positives. 

•  Will  not  report  any  other  cases  of  strcpy  ( ) , 
including  false  negatives 

•  Will  not  catch  other  string-copy  functions  like 
strncpyO  ,  strcpy_s()  ,  or  memcpyO  . 

•  Will  not  catch  string-copying  done  ‘by  hand’  (for 
instance,  our  off-by-1  example) 
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Design  Conclusions 


Designing  checkers  helps  to  ‘flesh  out’  secure 
coding  rules. 

•  Be  aware  of 

•  false  positives 

•  false  negatives 

•  A  checker  does  not  need  to  be  complete  to  be 
useful. 

It’s  OK  to  write  more  than  one  checker  for  a  rule. 

Don’t  worry  about  pathological  cases,  focus 
primarily  on  violations  likely  to  occur  ‘in  the  wild’. 
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ROSE  In  Action 


When  we  run  our  ROSE  program,  called  diagnose,  on  our  insecure 
source  code,  we  get  an  error  message: 

%  . /rosecheckers  test/c . ncce .wiki . STR. c 

c . ncce . wiki . STR. c : 7 :  error:  STR31-C:  String  copy 
destination  must  contain  sufficient  storage 

Q, 

'O 

If  we  run  rosecheckers  on  a  secure  program,  we  get  no  output: 

%  ./rosecheckers  test/c.cce. wiki. STR. c 

Q, 

"o 


So  our  rosecheckers  program  acts  like  a  compiler,  or  lint. 
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ROSE  integrated  with  Emacs 


* 

int  mainO  { 

/*  ...  */ 

Gkar  but f [256] ; 

sjtrcpy(buff ,  getenvC’EDITOR’*)) ; 

^Jerror.  STR31-C:  String  copy  destination  must  contain  sufficient  storage 

} 


STR31  C  getpnv.r  Rot  (12,0)  (C/1  Flyiiwkp;1/0  Ahbfpv) — 

- 

STR31_C_getenv.c:  1  error(s),  0  warning(s)  in  0.27  second(s) 

j 
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Example  Source  Code 


#include  <string.h> 
#include  <stdlib.h> 


int  main ( )  { 

/*  ...  */ 
char  buff [256] ; 
strcpy (buf f ,  getenv ( "EDITOR" ) ) ; 

/* 

ret 
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Source  Code  Syntax  Tree 


The  command 

cpp2ps  -t  foo.c  foo.c.ps 
dot2ps  f oo . c . dot 

produce  a  PostScript  file  f oo .  c .  dot .  ps  that 
contains  the  Abstract  Syntax  Tree  (AST)  of  the 
source  code. 

On  rosebud,  the  gv  program  can  be  used  to  view 
PostScript  files. 

gv  foo. c.dot.ps 
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Abstract  Syntax  Tree  i 


#include  <string.h> 

#include  <stdlib.h> 

int  main()  { 

/*  ...  */ 

char  buff [256]; 

strcpy(buff,  getenv("EDITOR")); 

/* ...  */ 

return  0; 

} 
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Abstract  Syntax  Tree  3 
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AST  Attributes 


The  command 

cpp2pdf  f oo . c 

produces  a  PDF  f oo .  c .  pdf  that  contains  the 
source  code  AST,  and  also  shows  each  class's 
attributes 

On  rosebud,  the  xpdf  program  can  be  used  to  view 
PDFs. 

xpdf  f oo . c . pdf 
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AST  Attributes  cont 


File  Edit  View  Go  Help 


Index 

▼ 

□ 

^  SgFile 

1 

— 

^  SgGlobal  (compilerGenerated:... 

2 

^  SgFunctionDeclaration  (com... 

3 

SgFunctionParameterList  (... 

4 

^  SgFunctionDefinition  (com... 

5 

v  SgBasicBlock  (compilerG... 

6 

^  SgVariableDeclaration  ... 

7 

SglnitializedName 

8 

^  SgExprStatement  (co... 

9 

— 

^  SgFunctionCallExp  (c... 

10 

SgFunctionRefExp  ... 

11 

^  SgExprListExp  (co... 

12 

SgVarRefExp  (co... 

13 

^  SgCastExp  (com... 

14 

w 

pointer  :0xb35360 


Click  here  to  go  to  the  parent  node 


SgNode*  p_parent  :K)xb4ca7d 
bool  pJsModified  :  0 

$CLASSNAME*  p  freepointer  :  Oxffffffffffffffff 
static  SgFunctionTypeTable*  p_globalFunctionTypeTable  OxbafO 
static  std::map<SgNode*,std::string>  palobalMangledNameMap  : 

static  std::map<std ::string,  int>  p_shortMangledNameCache  : _ c< 

Sg_File_lnfo*  p_startOfConstruct  :  0xb1e7a0 
Sg_File_lnfo*  p_endOfConstruct  :  0xb1e800 
AttachedPreprocessinglnfoType*  p_attachedPreprocessinglnfoPtr 
AstAttributeMechanism*  p_attributeMechanism  0 
bool  p_need_paren  0 
bool  pjvalue  :  0 

bool  p  global_qualified_name  :  0 
Sg_File_lnfo*  p_operatorPosition  :  0 

SgFunctionSymbol*  p_symbol_i  :  0x7d6b80:  varsym  strcpy  declan 
SgFunctionType*  p_function_type  0 


EE 
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Whole  Syntax  Tree 

The  AST  does  not  contain  semantic  information,  such 
as: 

Type  Definitions 
Symbol  Tables 
Variable  Definitions 

The  Whole  AST  adds  these  bits  of  information  to  the 
AST. 


r\ 

'CERT 


Software  Engineering  Institute 


Carnegie  Mellon 


37 


Whole  Syntax  Tree  2 


char*  strcpy (char* ,  char*) ; 
char*  getenv (char*) ; 

int  main()  { 

char  buff [256]; 

strcpy (buff ,  getenv ( "EDITOR" ) ) ; 
return  0 ; 


} 


r 

A 

f 

r 

A 

FunctionDecl arati on 

Functi onDecl arati on 

Functi onDecl arati on 

V _ 

_ 

— 

_ > 

V _ 

_ y 

dest 


ParameterList 


SL. 


Initi al i zedName 


r 

\ 

ParameterList 

V 

name _ 5 

2 _ 

Ini  ti al  i zedName 

Initial  i  zedName 


Vari abl eDecl arati on 


FunctionTypeTabl  e 


■-.1 


I 


SymbolTabl  e 


main 


| Functi onTypeSymbol 
_ getenv 

I Functi onTypeSymbol  | 

strcpy 


Functi onTypeSymbol 


SymbolTabl  e 


main 


I 


|  Functi onSymbol 
getenv 
I Functi onSymbol 

strcpy 


2 


Functi onSymbol 


|  ParameterTypeLi  st~|<] - 

1  ParameterTypeLi  st  [<3- 


- - - strcpy 

-1  Functi  q5I2e>-=- 


I — _ .  getenv 

A  FiinrtTnfiE2B>”- 


SymbolTabl  e 


SymbolTabl  e 


UnsignedLongVal 


y  buff 


Vari abl eSymbol 


Project 


File 


Global 


r - 

Functi onDeclarati  on 

— 

r  > 

Functi onDeclarati  on 

•- 

r  \ 

Functi onDeclarati on 
v _ 

f  ^ 

r - 

r  \ 

ParameterLi  st 

ParameterLi st 

ParameterList 

FunctionDefinition 

V  ^ 

— 

- y 

V  J 

f 

Initial izedName 
•- 

Functi onCallExpr 

IntVal ue 

functi on 


Functi onReference 


ExprLi stExpr 


buff 


Vari  abl  eRefExpr 


Functi onCallExpr 


1  i 


FunctionReference  ExprListExpr 


Whole  Syntax  Tree  3 
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Whole  Syntax  Tree  4 

File  View  Help 
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How  rosecheckers  Uses  ROSE 


#include  "rose . h" 
#include  "utilities .h" 


ROSE  parses  source  code 


int  main (  int  argc ,  char*  argv [ ] )  {  / 

SgProject*  project  =  frontend (argc , argv) ; 
ROSE_ASSERT(  project  ); 
visitorTraversal  exampleTraversal ; 
exampleTraversal . traverselnputFiles ( 


project,  preorder) ; 


} 


return  0 ; 
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AST  Node  Analysis 


This  is  called  for  each  node  in  the  AST: 

bool  EXP (const  SgNode  *node)  { 
bool  violation  =  false; 
violation  |=  EXP01_A (node) ; 
violation  |=  EXP09_A (node) ; 
violation  |=  EXP34  C(node); 


return  violation; 


Each  routine  here  enforces  a  single 
CERT  Secure  Coding  Rule,  and  returns 
true  if  the  node  indicates  a  violation. 


} 


Similar  code  exists  for  other  sections  str,  mem,  etc 
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ROSE  Checker  Skeleton 


#include  "rose.h" 
#include  "utilities . h" 


bool  STR31_C (const  SgNode  *node  )  { 

//  ensure  sufficient  storage  for  strings 
/*  */ 


} 


bool  STR (const  SgNode  *node)  { 
bool  violation  =  false; 

/*  ...  */ 

violation  |=  STR31_C (node) 
return  violation; 

} 


This  routine  will  be 
called  for  every  node  in 
the  AST.  We  want  it  to 
print  an  error  message 
and  return  true  exactly 

once  when  run  on  our 
non-compliant  example. 
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Current  Status 


How  do  we  do  this? 


bool  STR31_C (const  SgNode  *node  ) 
{ 

/*  ■?■?■?  */ 

} 

bool  STR (const  SgNode  *node)  { 
bool  violation  =  false; 

/*  ...  */ 

violation  |=  STR31_C (node) ; 
return  violation; 

} 
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Traverse  AST.  -==1  done 

For  each  strcpyO  function 
call 

1 .  Get  both  arguments  to 
strcpy  () .  If 

2.  1st  argument  is  a 
variable  AND 

3.  the  variable’s  type  is  a 
fixed-length  array  AND 

4.  2nd  argument’s  type  is 
NOT  a  fixed-length 
array 

•  Report  a  violation  of 
STR31-C! 
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Utility  Functions  from  utilities  .h 

/ /  Returns  non-NULL  if  node  is  a  call  of 
//  function  with  given  name 

const  SgFunctionSymbol  *isCallOfFunctionNamed ( 

const  SgNode  *node,  const  std: : string  &name) ; 

//  Returns  reference  to  ith  argument 

//  of  function  reference.  Dives  through  typecasts. 

/ /  Returns  NULL  if  no  such  parm 
const  SgExpression*  getFnArg ( 

const  SgFunctionRefExp*  node,  int  i) ; 

void  print_error ( 

const  SgNode*  node,  const  char*  rule, 
const  char*  desc,bool  warning  =  false) ; 
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Current  Status 


bool  STR31_C (const  SgNode  *node  ) 
{ 

if  ( ! isCallOf FunctionNamed ( 
node ,  " s  tr cpy " ) ) 

return  false; 

/*  */ 


At  this  point,  node  will 
always  point  to  a 
strcpyO  function  call 
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Traverse  AST. 

For  each  strcpyO  function 
call 


1 


DONE 


Get  both  argumentsTcr 

strcpy  () .  If 

1st  argument  is  a 
variable  AND 

the  variable’s  type  is  a 
fixed-length  array  AND 

2nd  argument’s  type  is 
NOT  a  fixed-length 
array 

•  Report  a  violation  of 
STR31-C! 
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The  isSg  Family 

A  set  of  useful  functions  that  are  useful  for  typecasting  a 
SgNode*  into  an  appropriate  node  type.  They  return  null  if 

the  node  is  the  wrong  type. 

const  SgNode*  node; 
const  SgFunctionRefExp*  sig_fn 
=  isSgFunctionRefExp (  node); 
if  (sig_fn  ==  NULL)  { 

cerr  «  "Node  is  not  a  " 

«  "SgFunctionRefExp!"  «  endl; 

} 
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Current  Status 


bool  STR31_C (const  SgNode  *node  ) 
{ 

if  ( ! isCallOf FunctionNamed ( 
node ,  " s  tr cpy " ) ) 

return  false; 


const  SgVarRefExp*  ref  = 

isSgVarRefExp (  getFnArg ( 
isSgFunctionRef Exp (node) ,  0) ) 

if  (ref  ==  NULL) 

return  false; 


/ 


*  999 


Traverse  AST. 

For  each  strcpyO  function 
call 

1 .  Get  both  arguments  to 
strcpy  () .  If 

2.  1st  argument  is  a 
variable  AND 


At  this  point,  ref  refers  to 
the  1 st  arg  of  strcpy  ( ) 
and  it  is  a  variable. 


DONE 


the  variable’s  type  is  a 
fixed-length  array  AND 

2nd  argument’s  type  is 
NOT  a  fixed-leng 
array 


h 


Report  a  violation  of 
STR31-C! 
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Current  Status 


bool  STR31_C (const  SgNode 
*node  )  { 

if  ( ! isCallOf FunctionNamed ( 
node,  "strcpy") ) 

return  false; 


const  SgVarRefExp*  ref  = 

isSgVarRefExp (  getFnArg ( 
i sSgFunctionRef Exp (node) ,  0) ) 

if  (ref  ==  NULL) 


return  false; 

if  ( ! Type (  getRefDecl ( 
>get_type ( ) ) . is Array ( ) ) 

return  false; 


DONE 


} 


/*  ???  */ 
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Traverse  AST. 


For  each  strcpy  ()  function 
call 

1 .  Get  both  arguments  to 

strcpy  () .  If 

2.  1st  argument  is  a 
variable  AND 


the  variable’s  type  is  a 
fixed-length  array  AND 

2nd  argument’s  type  is 
NOT  a  fixed-length 
array 

•  Report  a  violation  of 
STR31-C! 
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Current  Status 


const  SgVarRefExp*  ref  = 

isSgVarRefExp ( 
getFnArg ( 

isSgFunctionRef Exp (node) , 

0))  ; 

if  (ref  ==  NULL) 

return  false; 

if  ( ! Type (  getRefDecl ( 
ref)  - 

>get_type ( ) ) . is Array ( ) ) 
return  false; 
if  (Type (  getFnArg ( 
isSgFunctionRef Exp (node) , 

1 ) ->get_type ( ) ) . isArray ( ) ) 

return  false;  _ ^ 

DONE 
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Traverse  AST. 

For  each  strcpyO  function 
call 

1 .  Get  both  arguments  to 
strcpy  () .  If 

2.  1st  argument  is  a 
variable  AND 

3.  the  variable’s  type  is  a 
fixed-length  array  AND 

4.  2nd  argument’s  type  is 
NOT  a  fixed-length 

^  array 

•  Report  a  violation  of 
J  STR31-C! 
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ROSE  Checker  for  STR31-C 


#include  "rose.h" 
#include  "utilities . li 


Called  for  every  node  in  the  AST. 


bool  STR31_C (const  SgNode  *node  )  { 

//  ensure  sufficient  storage  for  strings 
if  ( ! isCallOf FunctionNamed (  node,  "strcpy") ) 
return  false;  — - - — - 


We  have  an  instance  of  strcpy  () 


const  SgVarRefExp*  ref  = 

isSgVarRefExp (  getFnArg (  i sSgFunctionRef Exp (node) ,  0) ) ; 
if  (ref  ==  NULL) 

return  false;  //  strcpy ()  not  copying  into  simple  var 
if  ( ! Type (  getRefDecl (  ref) ->get_type ( ) ) . isArray ( ) ) 

return  false;  - - - - 

if  (Type (  getFnArg (  i sSgFunctionRef Exp (node) , 

1 ) ->get  type ( ) ) . isArray ( ) ) 


1st  arg  is  a  local  fixed  array 


return  false; 


2nd  arg  is  a  pointer  (eg  NOT  an  array 


print_error (  node,  "STR31-C",  "String  copy  destination  must  contain 
sufficient  storage") ; 

return  true; 
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Build  and  Test 

To  rebuild  rosecheckers  with  a  new  rule,  type 
make  pgms 

To  test  rosecheckers  on  all  rules,  type 
make  tests 
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Testing  New  Rule 


When  run  on  the  bad  example,  rosecheckers  produces  an 
error  message: 

%  ./rosecheckers  test/c . ncce .wiki . EXP . c 

EXP.c:5:  error:  EXP09-A:  malloc  called  using 
something  other  than  sizeof() 

O, 

'O 


When  run  on  the  good  example,  rosecheckers  produces 
nothing. 

%  ./rosecheckers  test/c . cce .wiki . EXP . c 

O, 

*o 
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Useful  ROSE  Functions 


•  isSg*** (node) 

•  unparseToString ( ) 

•  query SubTree (SgNode*  node,  type) 
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unparseToString ( ) 

Returns  a  string  representation  of  the  source  code 
associated  with  a  node.  Useful  for  debugging: 

const  SgNode*  node; 
cout  «  "Node :  " 

«  node->unparseToString ( ) 

«  endl ; 
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query SubTree (node ,  type) 

Traverses  the  AST  that  descends  from  node.  Returns  a  list  (a 
std:  :  vector,  actually)  of  all  subnodes  of  appropriate  type. 

const  SgNode*  node; 

Rose_STL_Container<SgNode  *>  nodes 
=  NodeQuery : : querySubTree ( 

const_cast<SgNode*> (  def) ,  V_SgVarRefExp) ; 
Rose_STL_Container<SgNode*> : : iterator  i ; 
for  (i  =  nodes .begin () ;  i  !=  nodes. end();  ++i)  { 

cout  «  "A  SgVarRefExp:  " 

«  (*i) ->unparseToString ()  «  endl; 

} 

Note  that  querySubTree  requires  a  non-const  SgNode*  as  1st 
argument. 
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Questions 


